Re: client-side support for Negotiate authentication scheme

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: client-side support for Negotiate authentication scheme

Bruno Harbulot
Hi Roman and Jerome,

Sorry for the delay. I've just added the tarball to the issue tracker:
   http://restlet.tigris.org/issues/show_bug.cgi?id=444

Best wishes,

Bruno.

Jerome Louvel wrote:

> Hi Bruno,
>
> I would suggest that you attach a zip with your source code to the existing
> issue in the tracker (or a new one).
>
> Once, we create the 1.1 branch, we could use the trunk to land this but it
> is a bit premature for now.
>
> Best regards,
> Jérôme Louvel
> --
> Restlet ~ Founder and Lead developer ~ http://www.restlet.org
> Noelios Technologies ~ Co-founder ~ http://www.noelios.com
>
>
> -----Message d'origine-----
> De : news [mailto:[hidden email]] De la part de Bruno Harbulot
> Envoyé : mercredi 1 octobre 2008 12:50
> À : [hidden email]
> Objet : Re: client-side support for Negotiate authentication scheme
>
> Hi all,
>
> I'd be happy to put it in the Restlet repository. Jerome, do you have
> any preferred place in the repository for this?
> By the way, I had mentioned I had started some work on the structure of
> the Guards, etc. (mostly for my project's needs but that could be used
> for 1.2). Perhaps it could be time to put it somewhere in the Restlet
> code-base too.  I was going to wait for the 1.1 release, but if Roman is
> doing some work on this type of problem too, we might as well try to
> coordinate our work.
>
> Best wishes,
>
> Bruno.
>
>
> Roman Geus wrote:
>> Hi Jerome
>>
>> Thanks for pointing out the necessary steps.
>>
>> I'll wait until Bruno's code has been contributed to the repository and
>> then do my part.
>>
>> Best regards,
>> Roman
>>
>>
>> Jerome Louvel wrote:
>>> Hi Roman, Bruno and all,
>>>  
>>> Roman, thanks for reporting this parsing bug with WWW-Authenticate
>>> HTTP header. I have just fixed it in SVN trunk.
>>>  
>>> Regarding the support for SPNEGO, I've updated the related RFE with a
>>> link to Bruno's original filter and another one back to this thread.
>>> I've also changed the target milestone of this RFE to 1.2 as it seems
>>> there is a good chance we could effectively add support for it.
>>>  
>>> "Support SPNEGO authentication"
>>> http://restlet.tigris.org/issues/show_bug.cgi?id=444
>
>

Reply | Threaded
Open this post in threaded view
|

Re: client-side support for Negotiate authentication scheme

Roman Geus
Hi all

I have added NegotiateFilter as an attachment to
http://restlet.tigris.org/issues/show_bug.cgi?id=444

Please note that will be starting a new job in two weeks and I will not
be able to work with Restlet in the foreseeable future in my day job.

Working with Restlet and its responsive community has been a great
experience for me. I wish you and the Restlet project the best luck!

Roman

PS: a copy of the README file...

> NegotiateFilter is a Restlet filter that implements Negotiate and Basic
> authentication on both the client and the server side. The server
> accepts both
> SPNEGO and Kerberos v5 GSSAPI tokens.
>
> If HTTP Negotiate authentication is not successful the filter tries to
> fall back
> to HTTP Basic authentication.
>
> The checkSecret() method is used to implement HTTP Basic
> authentication. The
> MyNegotiateFilter example subclass uses JAAS to check the
> username/password
> combination.  
>
> NegotiateFilter comes with a runnable test client and test server
> (using the
> JAX-RS extension).
>
> The code has only been tested for a few weeks in a Windows Active
> Directory
> environment but theoretically should work with any Kerberos v5
> infrastructure.
>
> HTTP Negotiate authentication has been successfully tested with
> Firefox and
> Internet Explorer webbrowsers as clients. The fallback to HTTP Basic
> authentication has been tested with Firefox, Internet Explorer,
> Safari, Opera
> and Google Chrome.
>
> The code has been tested with Restlet 1.1.1.
>
> The jaas.conf file and the some constants in ExampleClient.java and
> some system
> properties contain site-specific information and need to be adjusted.
>
> Also a working keytab file and krb5.conf file (or similar) are needed.
>
> See the *.launch file for information how to set the system properties.
>
> The NegotiateFilter class is based on Bruno Harbulot's SpnegoFilter
> (see the
> NegotiateFilter.java source file for license details).

Bruno Harbulot wrote:

> Hi Roman and Jerome,
>
> Sorry for the delay. I've just added the tarball to the issue tracker:
>   http://restlet.tigris.org/issues/show_bug.cgi?id=444
>
> Best wishes,
>
> Bruno.
>
> Jerome Louvel wrote:
>> Hi Bruno,
>>
>> I would suggest that you attach a zip with your source code to the
>> existing
>> issue in the tracker (or a new one).
>>
>> Once, we create the 1.1 branch, we could use the trunk to land this
>> but it
>> is a bit premature for now.
>>
>> Best regards,
>> Jérôme Louvel
>> --
>> Restlet ~ Founder and Lead developer ~ http://www.restlet.org
>> Noelios Technologies ~ Co-founder ~ http://www.noelios.com
>>
>>
>> -----Message d'origine-----
>> De : news [mailto:[hidden email]] De la part de Bruno Harbulot
>> Envoyé : mercredi 1 octobre 2008 12:50
>> À : [hidden email]
>> Objet : Re: client-side support for Negotiate authentication scheme
>>
>> Hi all,
>>
>> I'd be happy to put it in the Restlet repository. Jerome, do you have
>> any preferred place in the repository for this?
>> By the way, I had mentioned I had started some work on the structure
>> of the Guards, etc. (mostly for my project's needs but that could be
>> used for 1.2). Perhaps it could be time to put it somewhere in the
>> Restlet code-base too.  I was going to wait for the 1.1 release, but
>> if Roman is doing some work on this type of problem too, we might as
>> well try to coordinate our work.
>>
>> Best wishes,
>>
>> Bruno.
>>
>>
>> Roman Geus wrote:
>>> Hi Jerome
>>>
>>> Thanks for pointing out the necessary steps.
>>>
>>> I'll wait until Bruno's code has been contributed to the repository
>>> and then do my part.
>>>
>>> Best regards,
>>> Roman
>>>
>>>
>>> Jerome Louvel wrote:
>>>> Hi Roman, Bruno and all,
>>>>  
>>>> Roman, thanks for reporting this parsing bug with WWW-Authenticate
>>>> HTTP header. I have just fixed it in SVN trunk.
>>>>  
>>>> Regarding the support for SPNEGO, I've updated the related RFE with
>>>> a link to Bruno's original filter and another one back to this
>>>> thread. I've also changed the target milestone of this RFE to 1.2
>>>> as it seems there is a good chance we could effectively add support
>>>> for it.
>>>>  
>>>> "Support SPNEGO authentication"
>>>> http://restlet.tigris.org/issues/show_bug.cgi?id=444
>>
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: client-side support for Negotiate authentication scheme

Rob Heittman
Good luck, Roman, and thanks!  This is really a cool feature.  We
don't do much work with Windows authenticated environments any more
(thank heaven) but there are so many cases where this would have been
a game changer, and I'm sure it will come up more than once in the
future.

On Thu, Nov 13, 2008 at 6:32 AM, Roman Geus <[hidden email]> wrote:
> Please note that will be starting a new job in two weeks and I will not be
> able to work with Restlet in the foreseeable future in my day job.
Reply | Threaded
Open this post in threaded view
|

Re: client-side support for Negotiate authentication scheme

Thierry Boileau
In reply to this post by Roman Geus
Hello Roman,

that was a pleasure to work with you too!
Thanks a lot for your contribution and your nice message.
Good luck for the future!


Best regards,
Thierry Boileau
--
Restlet ~ Core developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com


Hi all

I have added NegotiateFilter as an attachment to http://restlet.tigris.org/issues/show_bug.cgi?id=444

Please note that will be starting a new job in two weeks and I will not be able to work with Restlet in the foreseeable future in my day job.

Working with Restlet and its responsive community has been a great experience for me. I wish you and the Restlet project the best luck!

Roman

PS: a copy of the README file...
NegotiateFilter is a Restlet filter that implements Negotiate and Basic
authentication on both the client and the server side. The server accepts both
SPNEGO and Kerberos v5 GSSAPI tokens.

If HTTP Negotiate authentication is not successful the filter tries to fall back
to HTTP Basic authentication.

The checkSecret() method is used to implement HTTP Basic authentication. The
MyNegotiateFilter example subclass uses JAAS to check the username/password
combination. 
NegotiateFilter comes with a runnable test client and test server (using the
JAX-RS extension).

The code has only been tested for a few weeks in a Windows Active Directory
environment but theoretically should work with any Kerberos v5 infrastructure.

HTTP Negotiate authentication has been successfully tested with Firefox and
Internet Explorer webbrowsers as clients. The fallback to HTTP Basic
authentication has been tested with Firefox, Internet Explorer, Safari, Opera
and Google Chrome.

The code has been tested with Restlet 1.1.1.

The jaas.conf file and the some constants in ExampleClient.java and some system
properties contain site-specific information and need to be adjusted.

Also a working keytab file and krb5.conf file (or similar) are needed.

See the *.launch file for information how to set the system properties.

The NegotiateFilter class is based on Bruno Harbulot's SpnegoFilter (see the
NegotiateFilter.java source file for license details).

Bruno Harbulot wrote:
Hi Roman and Jerome,

Sorry for the delay. I've just added the tarball to the issue tracker:
  http://restlet.tigris.org/issues/show_bug.cgi?id=444

Best wishes,

Bruno.

Jerome Louvel wrote:
Hi Bruno,

I would suggest that you attach a zip with your source code to the existing
issue in the tracker (or a new one).

Once, we create the 1.1 branch, we could use the trunk to land this but it
is a bit premature for now.

Best regards,
Jérôme Louvel
-- 
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com


-----Message d'origine-----
De : news [[hidden email]] De la part de Bruno Harbulot
Envoyé : mercredi 1 octobre 2008 12:50
À : [hidden email]
Objet : Re: client-side support for Negotiate authentication scheme

Hi all,

I'd be happy to put it in the Restlet repository. Jerome, do you have any preferred place in the repository for this?
By the way, I had mentioned I had started some work on the structure of the Guards, etc. (mostly for my project's needs but that could be used for 1.2). Perhaps it could be time to put it somewhere in the Restlet code-base too.  I was going to wait for the 1.1 release, but if Roman is doing some work on this type of problem too, we might as well try to coordinate our work.

Best wishes,

Bruno.


Roman Geus wrote:
Hi Jerome

Thanks for pointing out the necessary steps.

I'll wait until Bruno's code has been contributed to the repository and then do my part.

Best regards,
Roman


Jerome Louvel wrote:
Hi Roman, Bruno and all,
 
Roman, thanks for reporting this parsing bug with WWW-Authenticate HTTP header. I have just fixed it in SVN trunk.
 
Regarding the support for SPNEGO, I've updated the related RFE with a link to Bruno's original filter and another one back to this thread. I've also changed the target milestone of this RFE to 1.2 as it seems there is a good chance we could effectively add support for it.
 
"Support SPNEGO authentication"
http://restlet.tigris.org/issues/show_bug.cgi?id=444